Jenkins build became unstable: dpkg-binaries » amd64 #226

2014-08-08 Thread Jenkins Team at Grml
See 


-- 
To UNSUBSCRIBE, email to debian-dpkg-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/431602156.1.1407489447348.JavaMail.jenkins@jenkins



Jenkins build became unstable: dpkg-binaries » i386 #226

2014-08-08 Thread Jenkins Team at Grml
See 


Archive: https://lists.debian.org/706278435.0.1407489043004.JavaMail.jenkins@jenkins



Re: Jenkins build became unstable: dpkg-binaries » i386 #226

2014-08-08 Thread Guillem Jover
On Fri, 2014-08-08 at 11:10:42 +0200, Jenkins Team at Grml wrote:
> See 

I had already fixed this locally some weeks ago, will be included in
my next push which should be imminent now.

Thanks,
Guillem


Archive: https://lists.debian.org/20140808094551.ga26...@gaara.hadrons.org



Re: Which version/change in dpkg made it fully honour file modes?

2014-08-08 Thread Michael Tautschnig
Hi Guillem, all,

On Sat, Jun 14, 2014 at 14:01:33 +0200, Guillem Jover wrote:
[...]
> > So it seems that wheezy's dpkg ignores this:
> > 
> > diff --git a/NEWS b/NEWS
> > new file mode 12
> > 
> > while sid's dpkg fully interprets the this-is-a-symlink bit.
> 
> Actually dpkg-source does not even know about git-style patches, it's
> just that the patch program has started recognizing them since version
> 2.7. There's already 749070, and I had pending sending a mail to d-d,
> precisely looking for possible build breakages. Anyway I'll try to whip
> up that mail today.
> 
[...]

As I have seen a few more packages doing this recently, could you please send me
a pointer to the mail thread on d-d - I seem to have missed this I'm afraid (and
749070 doesn't yet have further info).

Thanks and sorry,
Michael

PS.: Still not subscribed to d-dpkg, so a CC on replies would be appreciated.





[RFC PATCH 0/3] Including file signatures in .deb packages]

2014-08-08 Thread Mimi Zohar
Hi,

We're looking to include file signatures in the different package
formats (e.g. rpm, deb) and install them as 'security.ima' extended
attributes (xattrs).  These signatures could then be used to enforce
local file integrity and included in the IMA measurement list to
provide file provenance.

This patch set adds debhelper support for dpkg for adding file
signatures to .deb packages and for installing those signatures as
IMA xattrs at package install time.

The existing md5sums file contains the file hash and name for each file
included in the package.  This makes it the most logical place for
storing the file signatures, other than the hash being md5.  For now,
this patch set assumes the existence of an equivalent sha256sums file.
(For convenience, I've duplicated the dh_md5sums helper naming it
dh_sha256sums.)

Depending on the relationship of the build and signing server, the
signatures could either be appended during the package build process
or post build.  Included in this patch set is a sample script that
opens the package, extracts the sha256sums file, appends the
signatures, and inserts the new sha256sums file with the appended
signatures in the deb package.

To install the file signatures, this patch set defines the debhelper
dh_installfile-sigs and the postinst-file-sigs autoscript.  Although
the sha256sums file should contain signatures for all files, the
autoscript currently only installs the signatures for ELF files and
scripts, making them "immutable".

Mimi Zohar (3):
  Define a new debhelper dh_installfile-sigs and postinst autoscript
  Temporarily define a deb helper dh_sha256sums
  Include sample script named ima-signhashes.sh

 autoscripts/postinst-file-sigs |  17 +++
 dh |   2 +
 dh_installfile-sigs|  46 +++
 dh_sha256sums  | 101 +
 examples/ima-signhashes.sh |  79 
 5 files changed, 245 insertions(+)
 create mode 100644 autoscripts/postinst-file-sigs
 create mode 100755 dh_installfile-sigs
 create mode 100755 dh_sha256sums
 create mode 100755 examples/ima-signhashes.sh

-- 
1.8.1.4


Archive: https://lists.debian.org/1407517061-22451-1-git-send-email-zo...@linux.vnet.ibm.com

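The install-time step the cover letter describes (read the hash, path and optional signature from sha256sums, decide which entries are ELF files or scripts, and install the signature as a security.ima xattr) is easy to get wrong on malformed lines, and nothing in the described flow re-checks the recorded digest against the file before the signature is applied. The following is an added example, not code from the patch set or from debhelper: a POSIX shell checker that parses a sha256sums file in the assumed `<sha256>  <path>[ <hexsig>]` layout, re-hashes each file against the recorded digest, and classifies each entry the way a postinst would have to. The fixture it builds (`build_fixture`), the placeholder signature value, and the magic-byte test standing in for `file --brief` are all constructed for this example; it needs `sha256sum`, `od` and `mktemp`, and it only reports what would happen rather than calling `setfattr`.

```shell
#!/bin/sh
# Added example: validate a sha256sums file that carries an optional third
# column with a hex file signature (layout assumed here: "<sha256>  <path>[ <hexsig>]",
# one entry per line, paths relative to the package root) and check every
# recorded digest against the file on disk before a signature would be
# installed as a security.ima xattr.

# Stand-in for `file --brief ... | grep -e ELF -e script`: look at the first
# bytes instead of file(1)'s free-text description.
is_elf_or_script() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        7f454c46*) return 0 ;;   # ELF header
        2321*)     return 0 ;;   # "#!" interpreter line
        *)         return 1 ;;
    esac
}

# check_sigfile ROOT SIGFILE
# Prints one line per entry:
#   SIGN     digest matches, signature present, ELF or script: would setfattr
#   SKIP     digest matches, signature present, other file type
#   NOSIG    digest matches, no signature column
#   MISMATCH file content no longer matches the recorded digest
#   MISSING  file is not present under ROOT
#   BADLINE  line does not start with a 64-hex-digit digest
# Returns 1 if any entry was MISMATCH, MISSING or BADLINE.
check_sigfile() {
    root=$1
    sigfile=$2
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        # sha256sum separates the digest from the path with two spaces
        recorded=${line%%"  "*}
        rest=${line#*"  "}
        case "$recorded" in
            *[!0-9a-f]*) recorded="" ;;
        esac
        if [ ${#recorded} -ne 64 ]; then
            echo "BADLINE $line"; rc=1; continue
        fi
        # the signature, when present, is the last space-separated field and
        # is hex; a non-hex last field is just the tail of a path with spaces
        case "$rest" in
            *" "*) sig=${rest##* }; path=${rest% *} ;;
            *)     sig=""; path=$rest ;;
        esac
        case "$sig" in
            *[!0-9a-fA-F]*) sig=""; path=$rest ;;
        esac
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"; rc=1; continue
        fi
        actual=$(sha256sum "$f")
        actual=${actual%% *}
        if [ "$actual" != "$recorded" ]; then
            echo "MISMATCH $path"; rc=1; continue
        fi
        if [ -z "$sig" ]; then
            echo "NOSIG $path"; continue
        fi
        if is_elf_or_script "$f"; then
            echo "SIGN $path"
        else
            echo "SKIP $path"
        fi
    done < "$sigfile"
    return $rc
}

# sigline ROOT PATH [SIG]: one sha256sums entry in sha256sum layout, with an
# optional appended signature column
sigline() {
    h=$(sha256sum "$1/$2")
    printf '%s  %s%s\n' "${h%% *}" "$2" "${3:+ $3}"
}

# Constructed fixture: a fake package tree plus a DEBIAN/sha256sums whose
# signature column is a placeholder hex string, not a real IMA signature.
build_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/usr/share/doc/app" "$d/etc" "$d/DEBIAN"
    printf '#!/bin/sh\necho hello\n' > "$d/usr/bin/tool"
    printf 'plain documentation, not code\n' > "$d/usr/share/doc/app/README"
    printf 'key=value\n' > "$d/etc/app.conf"
    printf '#!/bin/sh\necho original\n' > "$d/usr/bin/tampered"
    fakesig=0302deadbeef0102deadbeef   # placeholder, constructed
    {
        sigline "$d" usr/bin/tool "$fakesig"
        sigline "$d" usr/share/doc/app/README "$fakesig"
        sigline "$d" etc/app.conf
        sigline "$d" usr/bin/tampered "$fakesig"
        h=$(sha256sum "$d/usr/bin/tool")   # digest of a file that is absent
        printf '%s  usr/bin/gone %s\n' "${h%% *}" "$fakesig"
    } > "$d/DEBIAN/sha256sums"
    # change a file after its digest was recorded, like a post-build tamper
    printf '#!/bin/sh\necho modified\n' > "$d/usr/bin/tampered"
    echo "$d"
}

if [ "${1-}" = "--demo" ]; then
    root=$(build_fixture)
    check_sigfile "$root" "$root/DEBIAN/sha256sums" || echo "problems found (exit $?)"
    rm -rf "$root"
fi
```

Run with `sh check_sigs.sh --demo` to see the five classifications on the fixture; the MISMATCH and MISSING lines are the cases a postinst that trusts the sha256sums file without re-hashing would silently label as good.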


[RFC PATCH 2/3] Temporarily define a deb helper dh_sha256sums

2014-08-08 Thread Mimi Zohar
The dh_sha256sums helper is included in this patch set for convenience,
as it duplicates, with minimal changes to support sha256 hashes, the
existing dh_md5sums helper.  Subsequent posts should address this
duplication.
---
 dh|   1 +
 dh_sha256sums | 101 ++
 2 files changed, 102 insertions(+)
 create mode 100755 dh_sha256sums

diff --git a/dh b/dh
index 4f80f75..360cae0 100755
--- a/dh
+++ b/dh
@@ -409,6 +409,7 @@ my @b=qw{
dh_installdeb
dh_gencontrol
dh_md5sums
+   dh_sha256sums
dh_builddeb
 };
 $sequences{clean} = [qw{
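Review bot: the new `dh_sha256sums` entry goes into the binary sequence unconditionally, right after `dh_md5sums`, so every package built through `dh` will now ship a `DEBIAN/sha256sums` whether or not the maintainer ever runs the signing step. Since the commit message calls the helper temporary, gating it behind a sequence addon (`dh --with`) would let packages opt in and would avoid changing the control contents of unrelated packages.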
diff --git a/dh_sha256sums b/dh_sha256sums
new file mode 100755
index 000..6d1607f
--- /dev/null
+++ b/dh_sha256sums
@@ -0,0 +1,101 @@
+#!/usr/bin/perl -w
+
+=head1 NAME
+
+dh_sha256sums - generate DEBIAN/sha256sums file
+
+=cut
+
+use strict;
+use Cwd;
+use Debian::Debhelper::Dh_Lib;
+
+=head1 SYNOPSIS
+
+B [S>] [B<-x>] [B<-X>I] 
[B<--include-conffiles>]
+
+=head1 DESCRIPTION
+
+B is a debhelper program that is responsible for generating
+a F file, which lists the sha256sums of each file in the 
package.
+These files are used by the B package.
+
+All files in F are omitted from the F file, as are all
+conffiles (unless you use the B<--include-conffiles> switch).
+
+The sha256sums file is installed with proper permissions and ownerships.
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<-x>, B<--include-conffiles>
+
+Include conffiles in the sha256sums list. Note that this information is
+redundant since it is included elsewhere in Debian packages.
+
+=item B<-X>I, B<--exclude=>I
+
+Exclude files that contain I anywhere in their filename from
+being listed in the sha256sums file.
+
+=back
+
+=cut
+
+init(options => {
+   "x" => \$dh{INCLUDE_CONFFILES}, # is -x for some unknown historical 
reason..
+   "include-conffiles" => \$dh{INCLUDE_CONFFILES},
+});
+
+foreach my $package (@{$dh{DOPACKAGES}}) {
+   next if is_udeb($package);
+
+   my $tmp=tmpdir($package);
+
+   if (! -d "$tmp/DEBIAN") {
+   doit("install","-d","$tmp/DEBIAN");
+   }
+
+   # Check if we should exclude conffiles.
+   my $exclude="";
+   if (! $dh{INCLUDE_CONFFILES} && -r "$tmp/DEBIAN/conffiles") {
+   # Generate exclude regexp.
+   open (CONFF,"$tmp/DEBIAN/conffiles");
+   while () {
+   chomp;
+   s/^\///;
+   $exclude.="! -path \"./$_\" ";
+   }
+   close CONFF;
+   }
+
+   # See if we should exclude other files.
+   if (defined($dh{EXCLUDE_FIND}) && $dh{EXCLUDE_FIND} ne '') {
+   $exclude.="! \\( $dh{EXCLUDE_FIND} \\) ";
+   }
+
+   my $find="find . -type f $exclude ! -regex './DEBIAN/.*' -printf 
'%P\\0'";
+   complex_doit("(cd $tmp >/dev/null ; $find | LC_ALL=C sort -z | xargs 
-r0 sha256sum > DEBIAN/sha256sums) >/dev/null");
+   # If the file's empty, no reason to waste inodes on it.
+   if (-z "$tmp/DEBIAN/sha256sums") {
+   doit("rm","-f","$tmp/DEBIAN/sha256sums");
+   }
+   else {
+   doit("chmod",644,"$tmp/DEBIAN/sha256sums");
+   doit("chown","0:0","$tmp/DEBIAN/sha256sums");
+   }
+}
+
+=head1 SEE ALSO
+
+L
+
+This program is a part of debhelper.
+
+=head1 AUTHOR
+
+Joey Hess 
+(Modified by Mimi Zohar  to support sha256)
+
+=cut
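Review bot: the conffile exclusion loop builds a shell command by string interpolation (`$exclude.="! -path \"./$_\" ";`) and hands it to `complex_doit`, so a conffile name containing a double quote, backslash or other shell metacharacter breaks the `find` command or changes what gets excluded. That is inherited from dh_md5sums, but a file that is about to carry security signatures should fail closed here: check `open (CONFF, ...)` for errors (its return value is currently ignored, so an unreadable conffiles list silently produces no exclusions) and reject names with characters outside a safe set rather than interpolating them. The `# If the file's empty, no reason to waste inodes on it.` branch also means a package with no regular files gets no `sha256sums` at all, which the `postinst-file-sigs` consumer in 1/3 must tolerate; worth a sentence in the DESCRIPTION.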
-- 
1.8.1.4


Archive: https://lists.debian.org/1407517061-22451-3-git-send-email-zo...@linux.vnet.ibm.com



[RFC PATCH 1/3] Define a new debhelper dh_installfile-sigs and postinst autoscript

2014-08-08 Thread Mimi Zohar
This patch defines a debhelper dh_installfile-sigs and autoscript
postinst-file-sigs to install the ELF file and script signatures
stored in the sha256sums file.
---
 autoscripts/postinst-file-sigs | 17 
 dh |  1 +
 dh_installfile-sigs| 46 ++
 3 files changed, 64 insertions(+)
 create mode 100644 autoscripts/postinst-file-sigs
 create mode 100755 dh_installfile-sigs

diff --git a/autoscripts/postinst-file-sigs b/autoscripts/postinst-file-sigs
new file mode 100644
index 000..8430d0b
--- /dev/null
+++ b/autoscripts/postinst-file-sigs
@@ -0,0 +1,17 @@
+file=$(dpkg-query --control-path #PACKAGE# sha256sums)
+if [ "$1" = "configure" ]; then
+   if [ -e "${file}" ]; then
+   while read -r line; do
+   fn=$(echo "${line}" | awk '{print $2}')
+   sig=$(echo "${line}" | awk '{print $3}')
+   if [ ! -n "$sig" ]; then
+   continue;
+   fi
+
+   file --brief $fn | grep -e 'ELF' -e 'script' > /dev/null
+   if [ $? -eq 0 ]; then
+   setfattr -n 'security.ima' -v 0x$sig $fn
+   fi
+   done < "${file}"
+   fi
+fi
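Review bot: the line parsing in this hunk is fragile on anything but a plain three-column line: `awk '{print $2}'` keeps only the first word of the path, and `$fn` and `$sig` are then expanded unquoted in `file --brief $fn` and `setfattr ... $fn`, so a path with a space is split into several arguments and the xattr lands on the wrong name or nowhere. `while read -r hash fn sig; do` with `"$fn"` and `"$sig"` quoted removes the two `awk` subprocesses per line (it still cannot represent paths containing whitespace, the same limitation md5sums has, but it fails in one obvious place instead of silently misparsing), and `[ ! -n "$sig" ]` is just `[ -z "$sig" ]`. Two more points: matching `file --brief` output against the words `ELF` and `script` couples the install decision to the wording of file(1)'s magic database, so a magic-byte check would be more stable; and `fn` is the package-relative path (`usr/bin/...`), which only resolves because maintainer scripts run with `/` as the working directory, so writing `"/$fn"` makes that assumption explicit. A failing `setfattr` (for instance on a filesystem without xattr support) is ignored and the package still configures successfully; if that is intended, the cover letter should say so.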
diff --git a/dh b/dh
index f3bd321..4f80f75 100755
--- a/dh
+++ b/dh
@@ -373,6 +373,7 @@ my @i = qw{
dh_installifupdown
dh_installinfo
dh_installinit
+   dh_installfile-sigs
dh_installmenu
dh_installmime
dh_installmodules
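Review bot: `dh_installfile-sigs` is inserted into the install sequence on its own, but the snippet it emits is useless without the `DEBIAN/sha256sums` that only the 2/3 patch's `dh_sha256sums` produces, so the two sequence additions belong together (ideally as one addon rather than two unconditional entries). A hyphen inside a `dh_*` command name is also unusual in this list; `dh_installfilesigs` would match the surrounding naming.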
diff --git a/dh_installfile-sigs b/dh_installfile-sigs
new file mode 100755
index 000..200932d
--- /dev/null
+++ b/dh_installfile-sigs
@@ -0,0 +1,46 @@
+#!/usr/bin/perl -w
+
+=head1 NAME
+
+dh_installfile-sigs - install file signatures in the DEBIAN/sha256sums file as 
xattrs
+
+=cut
+
+use strict;
+use Cwd;
+use Debian::Debhelper::Dh_Lib;
+
+=head1 SYNOPSIS
+
+B
+
+=head1 DESCRIPTION
+
+B is a debhelper program that is responsible for 
automatically
+generating the F commands needed to install file signatures 
contained in
+the F file.  These commands are inserted into the maintainer
+scripts by L.
+
+=cut
+
+init();
+
+foreach my $package (@{$dh{DOPACKAGES}}) {
+
+   if (! $dh{NOSCRIPTS}) {
+   
autoscript($package,"postinst","postinst-file-sigs","s!#PACKAGE#!$package!g");
+   }
+}
+
+
+=head1 SEE ALSO
+
+L
+
+This program is a part of debhelper.
+
+=head1 AUTHOR
+
+Mimi Zohar 
+
+=cut
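Review bot: the loop adds the postinst snippet for every package, including udebs, which have no maintainer scripts; `next if is_udeb($package);` at the top of the loop, as `dh_sha256sums` does, avoids that. The generated snippet calls `setfattr`, `file` and `awk` at install time, yet nothing records those dependencies: `addsubstvar($package, "misc:Depends", "attr")` (and the same for `file`) would put them into `${misc:Depends}` the way other debhelper commands do. `use Cwd;` is unused. The DESCRIPTION should also state that only ELF files and scripts get their signatures installed, since that policy decision is currently hidden inside the autoscript.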
-- 
1.8.1.4


Archive: https://lists.debian.org/1407517061-22451-2-git-send-email-zo...@linux.vnet.ibm.com



[RFC PATCH 3/3] Include sample script named ima-signhashes.sh

2014-08-08 Thread Mimi Zohar
This script extracts the sha256sum file from the deb package,
appends the file signatures using the ima-evm-utils package, and
inserts the sha256sum file with signatures in the package.
---
 examples/ima-signhashes.sh | 79 ++
 1 file changed, 79 insertions(+)
 create mode 100755 examples/ima-signhashes.sh

diff --git a/examples/ima-signhashes.sh b/examples/ima-signhashes.sh
new file mode 100755
index 000..4137467
--- /dev/null
+++ b/examples/ima-signhashes.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+#
+# ima-signhashes.sh - replace the sha256sums file in the .deb package with
+# a version containing the file signatures.  The file signatures provide 
+# file authenticity and provenance.  As part of the package install process,
+# the file signatures are stored as extended attributes associated with
+# the file. IMA-appraisal, if enabled, will appraise file integrity based 
+# on these file signatures.
+# 
+# Mimi Zohar 
+
+# format:  
+
+set -e
+DEBPACKAGE="${1}"
+PRIVKEY="$2"
+tmpdir="${DEBPACKAGE}.tmp"
+
+if [ $# -ne 2 ]; then
+   echo "$0:  "
+   exit -1
+fi
+
+if [ ! -f "${DEBPACKAGE}" ]; then
+   echo ".deb package not found: ${DEBPACKAGE}" 
+   exit -1
+fi
+
+if [ ! -f "${PRIVKEY}" ]; then
+   echo "Private key not found: ${PRIVKEY}" 
+   exit -1
+fi
+
+# extract files from the .deb archive into a temporary directory
+if [ -d "${tmpdir}" ]; then
+   rm -rf "${tmpdir}"
+   if [ $? -ne 0 ]; then
+   echo "Deleting directory failed: ${tmpdir}"
+   exit -1 
+   fi
+fi
+mkdir -p "${tmpdir/DEBIAN}"
+if [ $? -ne 0 ]; then
+   echo "Creating directory failed: ${tmpdir}/DEBIAN"
+   exit -1
+fi
+
+cd $tmpdir 
+ar -x "../$DEBPACKAGE"
+#ls -lat 
+
+# untar the control file in the DEBIAN subdirectory
+if [ ! -f ./control.tar.gz ]; then
+   echo ".deb package missing 'control.tar.gz' file"
+   exit -1
+fi
+mkdir -p DEBIAN
+cd DEBIAN
+tar -xvzf ../control.tar.gz
+if [ ! -f ./sha256sums ]; then
+   echo "'control.tar.gz' missing sha256 file"
+   ls -lat 
+   exit -1
+fi
+cat sha256sums
+
+# Replace sha256sums with one containing file signatures
+cat ./sha256sums | evmctl sign_hash -a sha256 --key "${PRIVKEY}" > 
sha256sums.sig
+if [ $? == 0 ]; then
+   cp ./sha256sums.sig ./sha256sums
+   rm ./sha256sums.sig
+fi
+
+# create the control tar containing the new sha256sums with the signatures
+tar -cvzf ../control.tar.gz ./*
+
+# replace the existing compressed tar file in the  .deb package
+cd ..
+ar -r "../$DEBPACKAGE" control.tar.gz
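Review bot: `mkdir -p "${tmpdir/DEBIAN}"` is a bash pattern substitution (it deletes the string `DEBIAN` from `$tmpdir`), not `${tmpdir}/DEBIAN` as the error message two lines later says; the script only works because the later `mkdir -p DEBIAN` creates the directory anyway. With `set -e` at the top, every `if [ $? -ne 0 ]` / `if [ $? == 0 ]` check is dead code: the script already exits at the failing command, so the `evmctl` failure path that would leave the original `sha256sums` in place is never reached (the pipeline's status is `evmctl`'s). `exit -1` is not a valid exit status (use `exit 1`), `$tmpdir` is unquoted in `cd $tmpdir`, and the `../$DEBPACKAGE` references assume the package argument is a bare file name in the current directory. The `cat sha256sums` dump looks like leftover debugging, and once `evmctl sign_hash` has appended a third column the file is no longer accepted by `sha256sum -c`; that consequence belongs in the header comment.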
-- 
1.8.1.4


Archive: https://lists.debian.org/1407517061-22451-4-git-send-email-zo...@linux.vnet.ibm.com